Cloud computing is getting increasing attention as more and more companies are availing of cloud based services and as the maturity of cloud services evolves.

Know what you want from your solution

As with any new technology trend, it’s important to remember that certain basic principles apply, particularly from a customer’s perspective, when they are assessing the costs and benefits of cloud based services. In this post, I would like to cover some of these basic principles, in the areas of features/requirements analysis, security and regulation.

In a previous post, I wrote about the importance of a business understanding the requirements and features that they wanted from an IT solution before getting too far into the selection process. I think it’s important to remember that just because a particular IT solution is delivered using cloud based services, if it doesn’t have the features that a business requires, then the use of cloud based services won’t make up that gap.

If there are solutions in the marketplace that do provide the required features either through an on-premise or hosted model, then irrespective of the other advantages of the cloud based services, it’s important that these candidates are not over-looked, just because they are not cloud based.

Cloud wash – watch out for the real thing

‘Cloud wash’ is a term being increasingly used to describe IT solutions that are being described as cloud based but yet when they are examined in detail, they are missing standard characteristics that would be expected from a cloud based service offering. For marketing purposes, service providers may take a decision to describe their solutions as cloud based, in order to ‘attract’ potential customers, but in the end, this practice will only lead to a bad customer experience with no winners.

What benefits should a cloud service provide

In reviewing a cloud based service and concluding that the businesses features and requirements are met, then the additional potential benefits of the cloud based service can then be assessed;

1. The pay as you go model which eliminates the need for an upfront licence payment and can enable a business to categorise the spending as current rather than as capital.
2. The ability to leverage off ongoing enhancements to the cloud based service that are being delivered by the service provider due to the benefits of multi-tenancy.
3. The ability to quickly scale your use of service as your business requires; scaling up to meet peak demands and scaling down as demand drops
4. An ability to customise your service to suit your own particular requirements. For example, to use a particular database operating system, use additional storage, additional processors for your server or a particular workflow on your software application.

Securing your data in the cloud

Depending on the sensitivity of the data that will be stored on your cloud based service, a business will need to discuss their security requirements to ensure that the data is processed securely. The starter for this discussion will be the business’s current approach to securing the data.

However the business should have an objective to increase the security levels by leveraging the potential security enhancements that the cloud services provider can provide given that the service is shared by many customers, thus lowering operating costs and enabling the service provider to deliver extra functionality. A key benchmark for any services provider is their ability to deliver enhanced functionality to their customers (i.e. demonstrating the practical benefits of multi-tenancy).

In their cloud computing security assessment, ENISA discussed both the potential benefits and risks of cloud computing and the option for service providers to use security as a market differentiator. Another worthwhile document to read, to get guidance on potential security risks and how to resolve them, when using cloud based services is the guide from Cloud Security Alliance. This guide provides good insight into the governance and operating procedures which should be provided by cloud based service suppliers to customers.

The Cloud and Regulation

Both these documents also look at the potential regulation risks when using cloud based services. To use data protection regulations as an example, there are eight rules/principles that provide an overview on the responsibilities when collecting personal data. In summary, the eight rules are;

1. As data is being collected on individuals, they should be aware of why the data is being gathered and what it will be used for
2. Any data gathered by a company should be retained for a specific purpose
3. The data should be only be processed in a way that is compatible with it’s purpose. A clear set of rules should be established for disclosing any of this information
4. The data should be securely stored at all times
5. The data should be kept up to date and accurate
6. The data should be relevant and adequate for the its purpose and any unnecessary data should not be gathered
7. The data should not be retained for longer than is necessary
8. If an individual requests a copy of their data that is being held, a full copy should be made available

As you can see, there is some overlap between the various rules, particularly in the area of the purpose and intention for gathering the information. Some of the rules relate more to process requirements when using the information, then to the type of technology being used. For example, a company will need a process to ensure that as data is being gathered, the individual is offered a full explanation and consents where necessary. Such a process is required irrespective of whether cloud based or on-premise technology is being used.

With other rules, such as not retaining the data longer than necessary, then the previous system features that enable a business to monitor and administer data to ensure that it is only retained as needed, should be replicated at least to the same level with the cloud service. Equally, the need to store data securely will provide a set of requirements that the cloud service provider will need to meet. This relates to the initial point in this post to the importance of a business knowing it’s requirements before it jumps to the cloud.

So where will my data reside ?

One important area that cloud service providers need to be aware of in relation to data protection is the area of jurisdiction and location of data. On it’s own, this has been a topic of many blog posts, in summary form, European data regulations sets out requirements that either look to have data located in the European Economic Area or located in a country with a recognised equivalent standard such as the Safe Harbour principles in the US or where the data is the subject of a model agreement as recognised by the EU.

The key point that I would like to make here is that in order to provide the required availability SLA requirements, cloud service providers should have clear ‘ecosystem’ charts showing where the data is being stored and it’s potential backup locations throughout the service providers data network. This will enable customers and the service providers to decide whether any additional agreements are needed to meet regulatory requirements.

In this post, I wanted to cover a number of points that I think are important when a business is thinking of moving to cloud based services. Some of the points are basic principles that are relevant for any IT project and I hope others are helpful to resolve any barriers to leverage the benefits of cloud services.